Path: utzoo!attcan!uunet!shelby!apple!usc!cs.utexas.edu!wuarchive!texbell!nuchat!sugar!ficc!peter
From: peter@ficc.uu.net (Peter da Silva)
Newsgroups: alt.sources.d
Subject: Re: shars and security concerns.
Message-ID: <FQ53S_xds13@ficc.uu.net>
Date: 1 May 90 23:24:41 GMT
References: <662@n4hgf.uucp> <1152@chinacat.Unicom.COM> <518@cpsolv.CPS.COM> <1203@chinacat.Unicom.COM>
Reply-To: peter@ficc.uu.net (Peter da Silva)
Organization: Xenix Support, FICC
Lines: 14

I still fail to understand the security concerns of shars, apart from the
single case of comp.mail.maps.

Look at it this way... after you have carefully unpacked the shar in the
controlled environment of your chrooted directory tree, and so on, you're
going to then compile and run the stuff inside. Even fixing portability
problems by carefully answering questions from long interactive shell
scripts that you know you never bother to examine. If I was writing a
trojan horse I wouldn't put it in the shar, I'd put it in "Configure",
"build", "install", or whatever. Or even in the code... see my little
"Usenet Virus" posting, recently published in comp.virus.

I don't know. It's like worrying about potential carcinogens in the *label*
on your TV dinner.
-- 
 _--_|\  `-_-' Peter da Silva. +1 713 274 5180.      <peter@ficc.uu.net>
/      \  'U`  Have you hugged your wolf today?  <peter@sugar.hackercorp.com>
\_.--._/       Disclaimer: commercial solicitation by email to this address
      v                    is acceptable.